Issued:: 2019-10-10
Updated:: 2019-10-10

RHSA-2019:3023 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: ovirt-engine-ui-extensions security and bug fix update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for ovirt-engine-ui-extensions is now available for Red Hat Virtualization Engine 4.3.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The ovirt-engine-ui-extensions package contains UI plugins that provide various extensions to the oVirt administration UI.

Security Fix(es):

bootstrap: XSS in the data-target attribute (CVE-2016-10735)
bootstrap: XSS in the tooltip data-viewport attribute (CVE-2018-20676)
bootstrap: XSS in the affix configuration target property (CVE-2018-20677)
bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)
js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection (CVE-2019-11358)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

Known moderate severity security vulnerability detected by GitHub on ovirt-engine-ui-extensions components (BZ#1694035)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/2974891

Affected Products

Red Hat Virtualization Manager 4.3 x86_64

Fixes

BZ - 1668082 - CVE-2018-20676 bootstrap: XSS in the tooltip data-viewport attribute
BZ - 1668089 - CVE-2018-20677 bootstrap: XSS in the affix configuration target property
BZ - 1668097 - CVE-2016-10735 bootstrap: XSS in the data-target attribute
BZ - 1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute
BZ - 1701972 - CVE-2019-11358 js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection
BZ - 1752576 - [Tracking] ovirt-engine-ui-extensions 1.0.10

CVEs

References

https://access.redhat.com/security/updates/classification/#moderate

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Virtualization Manager 4.3

SRPM
ovirt-engine-ui-extensions-1.0.10-1.el7ev.src.rpm	SHA-256: 4cf2b97d20b4274022857c3f5ed76fda0dbec1669238b533c0723d6c4719da4b
x86_64
ovirt-engine-ui-extensions-1.0.10-1.el7ev.noarch.rpm	SHA-256: b266f5cdce93012868e7af3c098fef95d5bb272cb2a785c3154e04e41f04ce1e

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation